Integer overflow in whoopsie (Ubuntu package) - CVE-2019-11484
Published: November 5, 2019
whoopsie (Ubuntu package)
Detailed vulnerability description
The vulnerability allows a local user to read arbitrary files on the server.
The vulnerability exists due to an integer overflow in the bson_ensure_space() function in lib/bson/bson.c, a BSON library that is bundled with whoopsie. A local user can trigger the integer overflow and read the contents of an arbitrary file on the server.
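The bug class named above, shown as an added example that is not code from whoopsie or its bundled BSON library: an unchecked "does it fit" test on a growable buffer beside an overflow-safe form. The struct, the function names and the int-sized fields are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable buffer with int-sized fields (an assumption;
 * this is not the struct used by the bundled BSON library). */
struct buf {
    char *data;
    int used; /* bytes already written */
    int cap;  /* bytes allocated */
};

/* Unchecked pattern: used + need can exceed INT_MAX. Signed overflow is
 * undefined behaviour in C; the common wrap-around result is modelled with
 * unsigned arithmetic so this demonstration does not itself rely on it. */
static int fits_unchecked(const struct buf *b, int need)
{
    int sum = (int)((unsigned)b->used + (unsigned)need);
    return sum <= b->cap; /* a wrapped, negative sum passes the check */
}

/* Checked form: reject before adding. Returns 0 on success, -1 otherwise. */
static int ensure_space_checked(struct buf *b, int need)
{
    if (need < 0 || b->used < 0 || b->used > b->cap)
        return -1;
    if (need > INT_MAX - b->used) /* used + need would overflow */
        return -1;
    int want = b->used + need;
    if (want <= b->cap)
        return 0;
    /* Grow to 1.5x the required size, clamped so the growth cannot wrap. */
    int new_cap = (want > INT_MAX - want / 2) ? INT_MAX : want + want / 2;
    char *p = realloc(b->data, (size_t)new_cap);
    if (p == NULL)
        return -1;
    b->data = p;
    b->cap = new_cap;
    return 0;
}

int main(void)
{
    struct buf b = { malloc(16), 10, 16 }; /* constructed sample state */
    printf("unchecked says fits: %d\n", fits_unchecked(&b, INT_MAX));
    printf("checked result:      %d\n", ensure_space_checked(&b, INT_MAX));
    free(b.data);
    return 0;
}
```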
How to mitigate CVE-2019-11484
Update the affected packages.
- Ubuntu 19.10
  - libwhoopsie0 - 0.2.66ubuntu0.1
  - whoopsie - 0.2.66ubuntu0.1
- Ubuntu 19.04
  - libwhoopsie0 - 0.2.64ubuntu0.2
  - whoopsie - 0.2.64ubuntu0.2
- Ubuntu 18.04 LTS
  - libwhoopsie0 - 0.2.62ubuntu0.2
  - whoopsie - 0.2.62ubuntu0.2
- Ubuntu 16.04 LTS
  - libwhoopsie0 - 0.2.52.5ubuntu0.2
  - whoopsie - 0.2.52.5ubuntu0.2